[ https://issues.apache.org/jira/browse/AMQ-9661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18022736#comment-18022736 ]
Robbie Gemmell commented on AMQ-9661:
-------------------------------------
When you specify e.g. SSLContext.getInstance("TLSv1.3") you are actually _not_
asking for _only_ _TLS 1.3_ support as you believe. You are asking for an
instance that _does_ support TLS 1.3 _and which may potentially support other
protocols_. See the security standard-names documentation at
https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#sslcontext-algorithms
In practice this usually tends to mean the instance returned supports a specific
protocol if asked for in the passed string, e.g. 1.3, as well as the lower
versions. However modern JDK releases disable TLS 1.0 and 1.1 out of the box
for security reasons, effectively making 1.2 the lowest. So when you ask for
SSLContext.getInstance("TLSv1.2") you will now often only get 1.2 support, as
the lower ones are already disabled. However when you ask for
SSLContext.getInstance("TLSv1.3") you will often get a context that supports
and enables _both_ 1.2 and 1.3 on a resulting SSLEngine...unless you also set
the enabledProtocols option to govern which of the _supported_ protocols are
then actually left _enabled_ on the resulting SSLEngine created.
In short, this is the JVM itself doing what it is allowed to do and essentially
always has done.
> ActiveMQ client jar code is sending both TLSv1.2 and TLSv1.3 in the
> ClientHello message, even when TLSv1.3 ssl context is set in SSLContext
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: AMQ-9661
> URL: https://issues.apache.org/jira/browse/AMQ-9661
> Project: ActiveMQ Classic
> Issue Type: Bug
> Components: JMS client
> Environment: * *ActiveMQ jars Version*: 6.1.5
> * *JDK Version*: JDK 17
> * *Operating System*: linux
> Reporter: Sumit Sharma
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 6.3.0
>
> Attachments: TlsExample.java
>
>
> We are configuring *ActiveMQ client classes* to use *TLSv1.3* explicitly by
> setting the {{org.apache.activemq.broker.SslContext}} as follows:
> SslContext mqSslcontext = new SslContext();
> mqSslcontext.setCurrentSslContext(
>     javax.net.ssl.SSLContext.getInstance("TLSv1.3"))
> However, during the *SSL handshake*, the *ClientHello* message sent by
> ActiveMQ still includes both *TLSv1.2 and TLSv1.3* in the
> {{supported_versions}} extension, instead of restricting it to *TLSv1.3.*
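The following stand-alone program is an added illustration of the JSSE behaviour Robbie describes in the comment above; it is not code from the ActiveMQ project or from the issue's attachment. It uses only the standard javax.net.ssl API: it shows that an SSLContext obtained with getInstance("TLSv1.3") yields an SSLEngine with both TLSv1.2 and TLSv1.3 enabled, and that the protocol list actually offered in the ClientHello is governed by the engine's enabled protocols, which must be narrowed explicitly. The exact lists printed depend on the JDK's security configuration (the disabled-algorithms property); the comments state what JDK 17 typically shows.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.List;

/**
 * Demonstrates that SSLContext.getInstance("TLSv1.3") is a minimum-version
 * request, not an "only this version" request, and how to restrict the
 * protocols an SSLEngine will offer. Added example, not ActiveMQ code.
 */
public class TlsVersionsDemo {

    /** Enabled protocols of an engine created from the named context (default key/trust managers). */
    static String[] enabledProtocolsFor(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // null managers => JDK defaults; required before createSSLEngine()
        return ctx.createSSLEngine().getEnabledProtocols();
    }

    /**
     * Create an engine that offers only the given protocols in its ClientHello.
     * setEnabledProtocols throws IllegalArgumentException for a protocol the
     * context does not support, so we check first and fail with a clear message.
     */
    static SSLEngine restrictTo(SSLContext ctx, String... wanted) {
        SSLEngine engine = ctx.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        for (String p : wanted) {
            if (!supported.contains(p)) {
                throw new IllegalStateException("Context does not support " + p
                        + "; supported=" + supported);
            }
        }
        engine.setEnabledProtocols(wanted); // this list is what goes into supported_versions
        engine.setUseClientMode(true);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // On JDK 17 "TLSv1.2" typically enables [TLSv1.2] only (1.0/1.1 disabled by
        // jdk.tls.disabledAlgorithms), while "TLSv1.3" typically enables [TLSv1.3, TLSv1.2].
        for (String name : new String[] {"TLSv1.2", "TLSv1.3", "TLS"}) {
            System.out.printf("%-8s -> enabled %s%n", name,
                    Arrays.toString(enabledProtocolsFor(name)));
        }

        // Narrowing: the same "TLSv1.3" context, but the engine now offers only TLSv1.3.
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null);
        SSLEngine only13 = restrictTo(ctx, "TLSv1.3");
        System.out.println("restricted engine -> enabled "
                + Arrays.toString(only13.getEnabledProtocols()));

        // Defensive check a client can run before handshaking: refuse anything below 1.3.
        for (String p : only13.getEnabledProtocols()) {
            if (!"TLSv1.3".equals(p)) {
                throw new IllegalStateException("Unexpected protocol still enabled: " + p);
            }
        }
        System.out.println("OK: only TLSv1.3 would be offered in the ClientHello");
    }
}
```

Run with `java TlsVersionsDemo.java` on JDK 11 or later. The first loop reproduces what the reporter observed: asking for "TLSv1.3" does not remove TLSv1.2 from the enabled list. The second part is the remedy Robbie points at: the enabled-protocol list on the engine (in ActiveMQ, configured through the transport's enabledProtocols option rather than by hand) is what decides which of the supported versions are advertised.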
--
This message was sent by Atlassian Jira
(v8.20.10#820010)